The Community Forums


BIND version security threat

Discussion in 'Bind / DNS / Nameserver Issues' started by matins007, May 16, 2009.

  1. matins007

    matins007 Member

    Joined:
    Jan 15, 2009
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    Hi,

    My website is scanned on a regular basis for PCI compliance. It was all working fine for the last few months, but yesterday they found something new.

    >>>>
    BIND EVP_VerifyFinal() / DSA_do_verify() Return Checks Risk Port/Protocol ID

    Synopsis:
    The remote name server is affected by a signature validation weakness.

    Solution:
    Upgrade to BIND 9.3.6-P1 / 9.4.3-P1 / 9.5.1-P1 / 9.6.0-P1 or later.

    Description:
    According to its version number, the remote installation of BIND does
    not properly check the return value from the OpenSSL library functions
    'EVP_VerifyFinal()' and 'DSA_do_verify()'. A remote attacker may be
    able to exploit this weakness to spoof answers returned from zones for
    signature checks on DSA and ECDSA keys used with SSL / TLS.
    >>>>

    My Update Config setting is set to Automatic (CURRENT tree). I even did a manual update, but my version is still BIND 9.3.4.

    Is there another solution than upgrading this by hand in SSH? Are they just freaking out for nothing?

    Thanks for your help on this.
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    It's probably a false-positive due to back-porting by the OS provider. What OS are you running? If you're running bind v9.3.4, my guess is that it's CentOS v5.3 or RHEL v5.3 (i.e. bind-9.3.4-10.P1.el5). If so, and you have your OS up to date, then it's likely a false-positive.

    One good measure with bind is not to announce its version number. You can prevent this by editing /etc/named.conf (or /var/named/chroot/etc/named.conf if you run bind-chroot) and in the options {} section set:

    version "not currently available";

    Then restart named.
     
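The two points in the reply above, that a version-matching scanner cannot see a backported fix and that named should not announce its version at all, can both be checked from the shell. The script below is an added example for this thread, not code from the post, from cPanel or from ISC: it reads the `version` directive out of the `options {}` block of a named.conf, reports whether that setting masks the real BIND version, and classifies what a remote `version.bind` CHAOS query (the probe a PCI scanner sends) would return. The config paths, the sample named.conf and the sample answers are constructed for the demo; `probe_version` needs network access and is not run here.

```shell
#!/bin/sh
# Added example for this thread (not code from the post, cPanel or ISC).
#   named_version_setting  - the string `version "...";` sets inside options { }
#   version_hidden         - exit 0 when that string masks the real BIND version
#   classify_version_answer- judge the TXT answer of a remote version.bind query
# Assumes POSIX sh, awk, grep and tr; sample config and answers are constructed.

# Print the value of `version "...";` found directly inside options { }.
# Prints nothing when the directive is absent, i.e. named answers with its
# real version. Braces are counted per line so nested blocks such as
# forwarders { ... }; are skipped; braces inside comments would upset the count.
named_version_setting() {
    awk '
        !inopt && /^[[:space:]]*options[[:space:]]*[{]/ { inopt = 1; depth = 0 }
        inopt {
            if (depth == 1 && /^[[:space:]]*version[[:space:]]+"/) {
                sub(/^[[:space:]]*version[[:space:]]+"/, "")
                sub(/".*$/, "")
                print
                exit
            }
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (depth <= 0) inopt = 0
        }
    ' "$1"
}

# Exit 0 if named.conf sets a version string that does not look like a real
# BIND version (digits.digits...); exit 1 if the directive is missing or
# still reveals a version number.
version_hidden() {
    v=$(named_version_setting "$1")
    [ -n "$v" ] && ! printf '%s\n' "$v" | grep -Eq '^[0-9]+\.[0-9]+'
}

# Classify the TXT record returned for version.bind in the CHAOS class:
# "leaked" if it carries a version number, "hidden" if it is a custom string
# or the query got no answer at all.
classify_version_answer() {
    ans=$(printf '%s' "$1" | tr -d '"')
    if printf '%s\n' "$ans" | grep -Eq '[0-9]+\.[0-9]+'; then
        echo leaked
    else
        echo hidden
    fi
}

# Ask a live server the way a scanner does (needs network access; not run here).
probe_version() {
    classify_version_answer "$(dig +short chaos txt version.bind @"$1")"
}

# Stand-alone demo on a constructed named.conf using the directive from the post.
demo_conf="${TMPDIR:-/tmp}/named.conf.example.$$"
cat > "$demo_conf" <<'EOF'
options {
    directory "/var/named";
    forwarders {
        10.0.0.1;
    };
    version "not currently available";
};
EOF
echo "version setting: $(named_version_setting "$demo_conf")"
version_hidden "$demo_conf" && echo "real version hidden" || echo "real version exposed"
rm -f "$demo_conf"
```

Run `probe_version your.ns.example` from a host outside the server to see exactly what the scanner sees; after the `version` directive is added and named restarted, it should print `hidden`. Hiding the banner only removes the scanner's trigger, it does not patch anything, so on a CentOS/RHEL box also confirm the vendor package actually carries the backported fix by reading `rpm -q --changelog bind` for the entry describing it, and keep that changelog handy as the evidence the PCI assessor will ask for.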